Product Overview

The Cohu 3960HD is a rugged IP-enabled pan/tilt/zoom camera designed for outdoor use in critical infrastructure. Research and experience show they are often used as traffic cameras. The camera has two main interfaces for interaction: a web interface and an API.

Timeline

8/27/2015 – Discovered vulnerabilities

9/10/2015 – Shodan shows ~200 devices directly connected to internet

12/2/2015 – Internal conversations on disclosure (legal issues)

2/29/2016 – Contact with client to discuss remediation of vulnerabilities

Cleartext Transmission of Sensitive Information

The Cohu 3960HD is not capable of running the SSL libraries due to processor constraints. The lack of encrypted communications exposes both the HTTP and XMLRPC services to content sniffing and man-in-the-middle attacks.

Missing Authentication for Critical Function

Port 1236/TCP accepts unauthenticated XML SOAP formatted commands. These commands can be used to change IP addresses, user names, and passwords. The following configuration parameters can be sent:

Unrestricted Upload of File with Dangerous Type

As part of the firmware upload process, webupgrade.sh unpacks the tar file and runs postinstall.sh. Any tar file could be uploaded with a malicious postinstall.sh, which the camera would execute with root privileges.
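One way to close this gap, shown as an added example that is not Cohu's code or part of the original advisory: refuse to unpack or run anything until a detached signature over the tar file verifies against a vendor public key stored on the device. The function names, the `.sig` file, the staging directory and the availability of an `openssl` binary where the check runs are all assumptions.

```shell
#!/bin/sh
# Added example (hypothetical): gate the unpack/postinstall step on a signature check.
# Assumed inputs: firmware tar, detached signature over it, vendor public key (PEM).

# verify_firmware TAR SIG PUBKEY -> 0 only if SIG is a valid SHA-256 signature over TAR
verify_firmware() {
    [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# members_are_safe TAR -> 0 only if the archive lists cleanly and no member
# name is absolute or contains a ".." path component
members_are_safe() {
    list=$(tar -tf "$1" 2>/dev/null) || return 1
    printf '%s\n' "$list" | while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) exit 1 ;;   # exits the pipeline subshell
        esac
    done
}

# install_firmware TAR SIG PUBKEY STAGING
# Unpacks into STAGING and runs postinstall.sh only after both checks pass.
install_firmware() {
    verify_firmware "$1" "$2" "$3" || { echo "rejected: signature check failed" >&2; return 1; }
    members_are_safe "$1" || { echo "rejected: unsafe member path" >&2; return 1; }
    mkdir -p "$4" && tar -xf "$1" -C "$4" || return 1
    if [ -f "$4/postinstall.sh" ]; then
        (cd "$4" && sh ./postinstall.sh) || return 1
    fi
    echo "installed from verified image: $1"
}
```

The signature is checked over the whole archive before extraction, so a replaced `postinstall.sh` invalidates it and nothing from the upload is written to disk or executed.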

Information Exposure Through Source Code

Due to the directory listing, and the failure of the web server to recognize .esp as server-side code, the web server displays the full source code of .esp web pages. This reveals more information about the system and potential attack paths and targets. Multiple cases of this exist on the platform.

Client Side Enforcement of Server Side Security

There are multiple cases of client-side code being used to check server-side parameters and configuration changes. Client-side code (JavaScript) can be manipulated or disabled before data is sent back to the server, allowing spurious information to be injected into the system to cause failure or compromise. Sample (many other instances)


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.